- Bug
- Resolution: Unresolved
- Major
If URL_METRICS is enabled, every requested URL is recorded as a tag value. This leads to very high tag cardinality for the Prometheus metric "keycloak_request_duration_bucket" when an attacker requests random non-existent URLs: each distinct path produces a new label value and therefore a new time series.
Some tag examples:
resource="realms,auth/realms/myrealm/administrador" resource="realms,auth/realms/myrealm/administrat" resource="realms,auth/realms/myrealm/adminpro" resource="realms,auth/realms/myrealm/admins" ...
Ideally the resource should be recorded only as "URI_NOT_FOUND" (as Java Spring does) or another constant value, by checking the status code and rewriting the URI whenever the response is a 404.
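As an added illustration (not code from this ticket or from Keycloak), the following Python simulates how the `resource` tag value is derived per request and counts the distinct label values the histogram would carry with and without folding 404 responses into one constant; the request sample and the `realms,` prefix convention are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (status, URI) pairs as a metrics hook would see them:
# two legitimate OpenID Connect requests plus an attacker probing non-existent paths.
SAMPLE_REQUESTS = [
    (200, "/auth/realms/myrealm/protocol/openid-connect/auth"),
    (200, "/auth/realms/myrealm/protocol/openid-connect/token"),
    (404, "/auth/realms/myrealm/administrador"),
    (404, "/auth/realms/myrealm/administrat"),
    (404, "/auth/realms/myrealm/adminpro"),
    (404, "/auth/realms/myrealm/admins"),
]

NOT_FOUND_LABEL = "URI_NOT_FOUND"  # constant proposed in the ticket


def resource_label(uri: str, status: int, normalize_404: bool) -> str:
    """Derive the 'resource' tag value for one request.

    normalize_404=False reproduces the reported behaviour: every requested
    path becomes its own label value. normalize_404=True folds any 404 into
    one constant, so unknown paths can no longer grow the label set.
    The "realms,<path>" shape mirrors the tag examples in the report (assumed).
    """
    if normalize_404 and status == 404:
        return NOT_FOUND_LABEL
    return "realms," + uri.lstrip("/")


def record(requests, normalize_404: bool) -> dict:
    """Simulate the histogram's label set: observations per resource label."""
    buckets = defaultdict(int)
    for status, uri in requests:
        buckets[resource_label(uri, status, normalize_404)] += 1
    return dict(buckets)


def cardinality(requests, normalize_404: bool) -> int:
    """Number of distinct 'resource' label values (i.e. time series) created."""
    return len(record(requests, normalize_404))


if __name__ == "__main__":
    print("unbounded labels:", cardinality(SAMPLE_REQUESTS, False))   # 6
    print("normalized labels:", cardinality(SAMPLE_REQUESTS, True))   # 3
```

With normalization, the four probes collapse into a single `URI_NOT_FOUND` series, so the metric's cardinality is bounded by the number of real endpoints rather than by attacker input.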